Security Now Blog: Addressing Today's Information Security Issues

Secunia Casts More Doubt on Signature-based-Only Anti-Malware Defense

by Eirik Iverson, Product Management

How effective are signature-based anti-malware defenses against zero-day malware and re-crafted malware? This month, Secunia, a reputable information security intelligence firm, published a report called “Internet Security Suite Test, October 2008” that found the average detection rate by leading signature-based anti-malware suites to be 4.7% (i.e., less than five percent!) for what they called “Important” malware samples.

The vast majority of enterprise and consumer PCs rely on signature-based anti-malware defense. I often refer to this as legacy AntiVirus software.

Why were the results so awful? Secunia rolled their own malware for these tests. None of the malware in their test came from the wild. Therefore, none of the vendors had signatures on record for the malware tested. Malware-makers have begun to systematically alter the signatures of their malware to elude these signature-based detection mechanisms. From this perspective, the Secunia test simulates the world we live in now. Similarly, in August, an information security firm called Cyveillance published another realistic test where they evaluated vendors against malware only found active in the month of July 2008.

One can argue that both of these tests better represent the real threat than the tests we typically see published. The others evaluate the vendors against all or most malware samples found throughout history. But even a perfect, omnipresent malware detector (a theoretical one) would encounter only a small fraction of all historical malware in any given month, October for example. So tests that report detection rates against all of that known, historical malware give a misleading picture that makes the vendors look much better than they are at protecting your PCs from today's threat.

Clearly, legacy AntiVirus vendors have been adding other detection methods to their products or these tests would have yielded zero detections for all of the vendors. But, what they have added does not seem to be effective. Less than five percent!

To be fair to the vendors, most of the Secunia malware samples did not actually attempt to carry out attacks, such as triggering an arbitrary executable to run or implanting a simulated rootkit into the system32 directory. Their proof-of-concept samples went only so far as to demonstrate that vulnerabilities in common software applications could be exploited. Some malware defense mechanisms merely block ‘naughty’ actions that result from exploits of vulnerabilities. So, if Secunia had had a couple dozen more engineers to add the ‘naughty actions’ to each of their ‘proof of concept’ malware samples, we might have seen more detections (i.e., blocked actions). That is, if any of those products employ ‘blocking mechanisms’ as a last line of defense against malware attacks.
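The three points above (re-crafted samples slip past signatures, historical corpora inflate detection rates, and behaviour blocking catches what signatures miss) can be shown with a small measurement script. This is an added example, not code from the post or from Secunia; the signature database, the sample bytes, their first-seen months, and the recorded actions are all constructed, and the hash and byte-pattern matching is a deliberately simplified stand-in for a real scanner.

```python
"""Toy measurement of signature vs. behaviour detection over two test corpora.

Everything here is constructed for illustration: the samples, their
first-seen months, the signature database and the observed actions.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    name: str
    first_seen: str             # month the sample first appeared, "YYYY-MM" (constructed)
    content: bytes              # file bytes a scanner would hash or pattern-match
    actions: Tuple[str, ...]    # actions seen at run time, as a behaviour monitor would log them


# Constructed "historical" corpus: samples the vendor has already seen.
OLD_SAMPLES = (
    Sample("old_dropper", "2007-03", b"MZ...EVIL-PAYLOAD-v1...", ("write:system32",)),
    Sample("old_launcher", "2007-11", b"MZ...run cmd /c calc...", ("exec:arbitrary",)),
    Sample("old_bot", "2008-05", b"MZ...EVIL-PAYLOAD-v1...irc...", ("exec:arbitrary", "net:connect")),
)

# Constructed "this month" corpus: nothing here is in the vendor's database.
NEW_SAMPLES = (
    # same payload as old_dropper with one byte altered (a re-crafted variant)
    Sample("recrafted_dropper", "2008-10", b"MZ...EVIL-PAYL0AD-v1...", ("write:system32",)),
    # proof-of-concept exploit that only demonstrates the bug and takes no harmful action
    Sample("poc_exploit", "2008-10", b"%PDF...overflow...", ()),
    # a new family with no relation to anything on record
    Sample("new_family", "2008-10", b"MZ...something else entirely...", ("exec:arbitrary",)),
)

# Signature database: exact hashes of everything seen before, plus one byte pattern.
KNOWN_HASHES = {hashlib.sha256(s.content).hexdigest() for s in OLD_SAMPLES}
BYTE_PATTERNS = [re.compile(rb"EVIL-PAYLOAD-v1")]

# Behaviour blocker: actions refused regardless of what the file looks like.
BLOCKED_ACTIONS = {"write:system32", "exec:arbitrary"}


def signature_detect(sample: Sample) -> bool:
    """Legacy AV: a hit only if the hash or a byte pattern is already on record."""
    if hashlib.sha256(sample.content).hexdigest() in KNOWN_HASHES:
        return True
    return any(p.search(sample.content) for p in BYTE_PATTERNS)


def behavior_block(sample: Sample) -> bool:
    """Last line of defence: block when the sample attempts a disallowed action."""
    return any(a in BLOCKED_ACTIONS for a in sample.actions)


def detection_rate(samples: Iterable[Sample], detector: Callable[[Sample], bool],
                   month: Optional[str] = None) -> float:
    """Fraction of samples the detector flags; with month set, only samples
    first seen in that month are counted (the Secunia/Cyveillance style of test)."""
    pool = [s for s in samples if month is None or s.first_seen == month]
    if not pool:
        return 0.0
    return sum(1 for s in pool if detector(s)) / len(pool)


if __name__ == "__main__":
    corpus = OLD_SAMPLES + NEW_SAMPLES
    print("signature, all history :", detection_rate(corpus, signature_detect))
    print("signature, 2008-10 only:", detection_rate(corpus, signature_detect, "2008-10"))
    print("behaviour, 2008-10 only:", detection_rate(corpus, behavior_block, "2008-10"))
```

Run as-is, the signature detector scores 50% over the whole corpus (it knows every old sample) but 0% over the October-only corpus, which is the distortion the post describes. The behaviour blocker scores two out of three for October: it catches the re-crafted variant and the new family by what they do, and misses only the proof-of-concept sample that takes no harmful action, matching the caveat about Secunia's samples.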

My recommendation to anyone with the patience to have read this rant: shop for something to supplement your legacy AntiVirus software. Be certain to consider usability in whatever you assess. Complex, inconvenient tools tend to be partially utilized or completely disabled. There’s no perfect defense. Look for something that stops most attacks without the medicine itself becoming a problem.
